Question with using ssl of apache plug-in

Similar Messages

• Some General Questions about using SSL sockets

  1 Since both SSL and TLS rely on public-key cryptography, can I use it efficiently for encrypting large amount of data transfer within a network? Or I�ll be better off using secret key.
  2 If I understand correctly, I can install client/server certificate (public key) along with the software installation. Is that right? In other words, I don�t have to create them programmatically.
  3 To convert our unsecured client/server application, is it enough to replace plain sockets with SSL sockets and use a self signed certificate for the server? (Ours is a closed network and we don�t require any client authentication).
  4 How does SSL handles server to server communications?
  5 How do you encrypt data ( some of the fields) in a text file?
  Thank you all.

  hey there.
  1.yes you can use it to encrypt large amounts of data, and heres why:
  when you use SSL, it uses public key encryption to first tranfser across a private key. then from then on the data is simply private key encrypted, which is relatively fast and easy.
  2. Yes, you may chose to make them programatically or not
  4. the question doesn't really make sense. In the end, what is a Server and what is a Client is up to your application. From SSL's point of view, you just have two machines with Sockets on either side that are connected. You can use SSLSocket.setClientMode(boolean) to choose which of those socket will act as the "server" for the purpose of the authentication handsake.

• Using ssl on WebLogic, not on Apache

  Hi Folks,
  This is probably a really obvious question, though I can't seem to figure it.
  Does anyone know if Apache plug-in supports SSL between the browser and WebLogic
  ? For example, can it then get a session id from the request, so it can keep
  sticky sessions ?
  Maybe it can work if session id's go into URL instead of cookie, or such.
  thanks in advance!
  John

  Hi, I have the exact same setup and the exact same error message in the logs. It does not seem to mather if I use the module that offers 128bit encryption or the standard one.
  Group/User permisions do not make any diffrence.
  So me being the weird person I am tried libs that come with service pack 3. This solved the problem.
  It seems that this service pack 5 has a little problem with this version of redhat and or with this version of apache...
  I hope this works for you as well.

• Load Balancing with BigIP / SSL question

  I have an oddball question. We're load balancing ColdFusion
  MX7 across 3 servers using a BigIP load balancing server. We
  decided to go the hardware approach and it has been great except
  for one small configuration issue.
  We use a mix of SSL and non SSL pages, prior to the switch
  from a single server to a load balanced setup I used to script that
  would determine if a page that was supposed to be SSL had the
  variable CGI.HTTPS turned on or off. If it was off, the page would
  redirect back to itself with the SSL turned on.
  The problem we have is that we followed BigIP's instruction
  to secure the load balancing hardware instead of the three servers
  running behind it. So what happens is that the traffic goes to the
  load balancer port 441, but then the calls from the load balancer
  to the individual servers is port 80. So even if a page is called
  as HTTPS://... the coldfusion server says that CGI.HTTPS is "off"
  since the traffic is port 80.
  This isn't much of a problem, our SSL pages are linked as
  HTTPS:// and the only problem would actually arise if someone was
  to type in the URL and call it as HTTP rather than HTTPS.
  My questions is this, does anyone know of a way that I can
  detect if the page should be HTTPS and is not without changing our
  configuration and putting SSL certificates on each individual
  server?

  Hey,
  Well the load balancing with the BigIP device is really very
  amazing. I think
  what i liked most was swapping out servers when their lease
  was up, through the
  BigIP manager I just stopped all traffic to a server, shut it
  down, plugged in
  the new one and turned traffic back on. It was really very
  easy.
  The SSL stuff still gives me a headache to think about. but
  I should mention I
  no longer work where I was, plus now I'm all .net C# but
  that's a different
  story.
  I think if I was going to do this all again I would not have
  secured the bigIP
  unit. It was nice to buy one SSL cert for all the servers I
  attached rather
  than one per server, but getting the SSL sites to work
  properly was a headache.
  We also use windows file replication where now I would go
  with like a pair of
  Dell MD1000's mirrored for storage and just have tons of ram
  and cpu on the
  front end units. Depends what you want to spend I guess. I
  think the bigIP unit
  we bought was like 20 grand, i think they are cheaper now
  though.
  Hope I helped.

• Apache 1.3.12 running with Raven SSL Proxy

            Hi All,
            I am currently having an issue clustering 2 WLS 5.1 sp8 app servers using Apache
            1.3.12 with the Raven SSL 1.4.3 plugin. (All on Solaris 7)
            Here is my scenario:
            The cluster "seems" to work. A session is processed fine on it's primary server,
            while the session information is replicated to the secondary server.
            Yet when we crash the primary server to test failover, all of the sessions on the
            primary server are lost and NOT processed by the secondary server. It is almost
            like the cookie was not updated to reflect that the primary had gone down, so the
            secondary server does not know it is now the primary.
            Any ideas?.. As long as the primary does not fail the system works fine.. so I know
            the sessions are being directed to the correct server the rest of the time, just
            not during failover.
            NOTE: I have had no problems with failover using Apache Stronghold using the mod_wl_ssl.so
            proxy, this problem only seems to occur with the Apache using Raven SSL and the mod_wl_ssl_raven.so
            proxy. Is there a bug with this proxy?
            Thank you for any ideas.
            -Nick
            

  The Web server plug-ins do not natively support outbound SSL connections
  yet(i.e. SSL from the plug-in to WebLogic). This is a feature for version
  6.0. You can use SSL from the browser to Apache or from the browser to
  WebLogic directly.
  The majority of our customers use strict firewall rules to protect the
  traffic between Apache and WebLogic. If they are paranoid, they use an SSL
  proxy or a VPN product.
  Thanks,
  Michael
  Michael Girdley
  BEA Systems Inc
  "Josh Kwan" <[email protected]> wrote in message
  news:39d4e8a5$[email protected]..
  >
  Hello,
  I want to know how to connect Apache 1.3.12 with mod_ssl to BEA WebLogic5.1.0 on Solaris via HTTPS. I have heard that this can only work over t3...
  is that true? If so, how can it be done securely? If that isn't the case,
  how can httpd.conf/weblogic.conf be configured on the Apache server to talk
  to the WebLogic server on port 7002? Both of the machines I am using are
  running Solaris 7 with necessary patches. I have installed SP5 for WebLogic
  and I have copied mod_wl.so and mod_wl_ssl.o to the Apache server for
  inclusion as modules.
  >
  The two servers communicate correctly over HTTP, but I want to be able toserve some JSPs via HTTPS from the WebLogic server through the Apache web
  server. I have generated all the required CA and server certificates for
  each server, and they both individually answer HTTPS requests, but do not
  work when an HTTPS request is sent to the Apache server for a JSP that is
  served from the WebLogic server. I read somewhere in the documentation for
  5.1.0 that WebLogic will communicate via HTTPS to various web and proxy
  servers.
  >
  Any help would be greatly appreciated... thanks!
  Regards,
  Josh Kwan
  Sr. Systems Engineer
  iXL

• Problems with connecting to MacOS X Snow Leopard Server using SSL

  I can successfully connect to my SL mail server if I do not enable SSL, but if I do enable SSL the iPhone mail client just fails to connect with a message "Cannot Get Mail - The connection to the server "servername" failed". I have set SSL to ON in Mail preferences, but I cannot see how to install the server's certificate. With most mail clients it seems like the server's certificate gets installed the first time you try and retrieve mail, but this does not happen with the iPhone.
  The reason I am having to switch SSL on is that I have a number of PC mail clients, and it does not seem as if any of the various versions of Outlook support any form of authentication other than plain text (except NTLM or SPA, which are not supported by MacOS X Server, probably because they are MS proprietary). So I think I will probably have to fall back to a plain text login, but using SSL to secure the process.
  Excuse me if I have misconstrued any aspect of this, but it is based on what I have been able to trawl up so far in an extremely under-documented area.
  I have looked at the iPhone documentation but it is very sketchy in the area of SSL implementation. For example the iPhone User Guide just says "To adjust SSL and password settings, tap Advanced. Ask your network administrator or Internet service provider for the correct settings."

  Thanks for the suggestion, but the question is really to do with how to get an SSL certificate onto an iPhone since the normal way of doing this with an email client doesn't happen.
  I have posted a reply in a thread in the SL Server section regarding the best way to cope with Outlook clients, which is the question the other way around. Essentially what I need is one form of secure authentication which works for both iPhones and Outlook - and this doesn't seem to be possible on the basis of my experience so far.
  So back to my question - how do you connect from an iPhone to a mail server which requires SSL?

• Error NO_RESOURCES when using Apache Plug-in for Weblogic

  Hi all,
  LoadModule weblogic_module modules/mod_wl.so
     OS.....: OEL 6.3 64 bits
     Weblogic Server: 12.1.0.2 (192.168.0.123)
     Apache: Apache/2.2.15 (Unix) (192.168.0.149)
     I am trying to configure the Apache Plug-in to forward the requests to the Weblogic Server. I already did all the configuration, but when i try to access a page, i get the following error in Apache's error.log:
  [Wed Dec 03 18:25:42 2014] [error] [client 192.168.0.149] <649114176419322> weblogic: *******Exception type [NO_RESOURCES] (apr_socket_connect call failed with error=13, host=192.168.0.123, port=7006 ) raised at line 1682 of URL.cpp
  [Wed Dec 03 18:25:42 2014] [error] [client 192.168.0.149] weblogic: Trying GET /benefits/ at backend host '192.168.0.123/7006; got exception 'NO_RESOURCES: [os error=13,  line 1682 of URL.cpp]: apr_socket_connect call failed with error=13, host=192.168.0.123, port=7006 '
  [Wed Dec 03 18:25:44 2014] [error] [client 192.168.0.149] <649114176419322> weblogic: request [/benefits/] did NOT process successfully..................
     My httpd.conf if configured as follows:
  Listen 8080
  LoadModule weblogic_module modules/mod_wl.so
  <IfModule mod_weblogic.c>
     WeblogicHost 192.168.0.123
     WeblogicPort 7006
  </IfModule>
  <Location /benefits>
     SetHandler weblogic-handler
  </Location>
  When i try to access the app deployed in Weblogic with the following address: "http://192.168.0.149:8080/benefits/" , i get the error mentioned above and the following error is displayed in my browser:
     Failure of Web Server bridge:
     No backend server available for connection: timed out after 10 seconds or idempotent set to OFF or method not idempotent.
  What am i doing wrong?
  Thanks in advance.

  Hi all,
  I had some progress... i disabled the firewall (SELinux) on the Apache server. Before, i had just disabled the firewall from the Weblogic Server. Now, when i access the apache server, it redirects (sometimes, actually) the request to my Weblogic Cluster. Let's say that 50% of the time it works and the other 50% i get the error informed previously.
     I am using the apache user and the ulimit of this user is:
        [apache@vm-apache conf]$ ulimit -a
  core file size          (blocks, -c) 0
  data seg size           (kbytes, -d) unlimited
  scheduling priority             (-e) 0
  file size               (blocks, -f) unlimited
  pending signals                 (-i) 15915
  max locked memory       (kbytes, -l) 64
  max memory size         (kbytes, -m) unlimited
  open files                      (-n) 1024
  pipe size            (512 bytes, -p) 8
  POSIX message queues     (bytes, -q) 819200
  real-time priority              (-r) 0
  stack size              (kbytes, -s) 8192
  cpu time               (seconds, -t) unlimited
  max user processes              (-u) 1024
  virtual memory          (kbytes, -v) unlimited
  file locks                      (-x) unlimited
     From the Apache server (192.168.0.149), when i execute the "culr" command, i get the following message:
        [apache@vm-apache conf]$ curl http://192.168.0.123:7006/benefits
        <html><head><title>302 Moved Temporarily</title></head>
        <body bgcolor="#FFFFFF">
        <p>This document you requested has moved temporarily.</p>
        <p>It's now at <a href="http://192.168.0.123:7006/benefits/">http://192.168.0.123:7006/benefits/</a>.</p>
        </body></html>
     The message above represents a OK situation or a problematic one?
     Below you can see the last few lines of my Error Log and Access Log:
     ### error log ###
  [Thu Dec 18 20:54:16 2014] [error] [client 192.168.0.123] <340514189468553> weblogic: parseJVMID: could not resolve hostname '-1062731653'. Returning NULL from parseJVMID 
  [Thu Dec 18 20:54:16 2014] [error] [client 192.168.0.123] <340314189468563> weblogic: parseJVMID: could not resolve hostname '-1062731653'. Returning NULL from parseJVMID
  [Thu Dec 18 20:54:17 2014] [error] [client 192.168.0.123] File does not exist: /var/www/html/favicon.ico
  [Thu Dec 18 20:54:17 2014] [error] [client 192.168.0.123] File does not exist: /var/www/html/favicon.ico
  [Thu Dec 18 20:54:21 2014] [error] [client 192.168.0.123] <340114189468603> weblogic: parseJVMID: could not resolve hostname '-1062731653'. Returning NULL from parseJVMID, referer: http://192.168.0.149:8080/benefits/
  [Thu Dec 18 20:54:44 2014] [error] [client 192.168.0.149] <339814189468792> weblogic: parseJVMID: could not resolve hostname '-1062731653'. Returning NULL from parseJVMID
  [Thu Dec 18 20:54:44 2014] [error] [client 192.168.0.149] <339814189468792> weblogic: initJVMID: parseClusterServerList failure
  [Thu Dec 18 20:54:45 2014] [error] [client 192.168.0.123] <339914189468844> weblogic: parseJVMID: could not resolve hostname '-1062731653'. Returning NULL from parseJVMID, referer: http://192.168.0.149:8080/benefits/servlet
  [Thu Dec 18 20:54:45 2014] [error] [client 192.168.0.123] <339914189468844> weblogic: initJVMID: parseClusterServerList failure, referer: http://192.168.0.149:8080/benefits/servlet
  [Thu Dec 18 20:54:56 2014] [error] [client 192.168.0.149] <339814189468792> weblogic: request [/benefits/welcome.html] did NOT process successfully..................
  [Thu Dec 18 20:54:57 2014] [error] [client 192.168.0.123] <339914189468844> weblogic: request [/benefits/welcome.html] did NOT process successfully.................., referer:http://192.168.0.149:8080/benefits/servlet
     ### access log ###
  192.168.0.123 - - [18/Dec/2014:20:54:15 -0300] "GET /benefits HTTP/1.1" 302 267 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.5) Gecko/20120605 Firefox/10.0.5" 
  192.168.0.123 - - [18/Dec/2014:20:54:16 -0300] "GET /benefits/ HTTP/1.1" 200 5832 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.5) Gecko/20120605 Firefox/10.0.5"
  192.168.0.123 - - [18/Dec/2014:20:54:17 -0300] "GET /favicon.ico HTTP/1.1" 404 290 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.5) Gecko/20120605 Firefox/10.0.5"
  192.168.0.123 - - [18/Dec/2014:20:54:17 -0300] "GET /favicon.ico HTTP/1.1" 404 290 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.5) Gecko/20120605 Firefox/10.0.5"
  192.168.0.123 - - [18/Dec/2014:20:54:20 -0300] "POST /benefits/servlet HTTP/1.1" 200 492 "http://192.168.0.149:8080/benefits/" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.5) Gecko/20120605 Firefox/10.0.5"
  192.168.0.149 - - [18/Dec/2014:20:54:39 -0300] "GET /benefits/welcome.html HTTP/1.1" 503 250 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.5) Gecko/20120605 Firefox/10.0.5"
  192.168.0.123 - - [18/Dec/2014:20:54:44 -0300] "GET /benefits/welcome.html HTTP/1.1" 503 250 "http://192.168.0.149:8080/benefits/servlet" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.5) Gecko/20120605 Firefox/10.0.5"
  Is there any additional or recommended configuration for this solution to work properly?
  Thanks again for the attention and pacience.

• Reconfigure Active Directory External Authentication plug in to use ssl

  Assuming this is the proper place to post this question:
  I've quickly gone through the IM integration documentation trying to find out how to reconfigure the ad external auth plugin to use ssl and have come up empty handed. Does anyone know how to do this? Should I just rerun oidspadi.sh?
  Also, where can i view the configuration information that was entered the last time this was configured?
  thanks for any help!
  chris

  Rerun oidspadi.sh and select SSL option. You can get adwhencompare and adwhenbind plug-ins detail under plug-in management in Oracle directory manager.

• Question about the Apache plug-in and WL server

  We have a bunch of Weblogic app-servers, and I want to set up Apache servers to
  front-end them. Here is what I'd like to do:
  (1) Load balancer forwards requests to one of Apache servers
  (2) Apache serves the static content (html,gif,css etc.)
  (3) Apache servers forward the request to one of the alive Weblogic servers, with
  requests for the same Weblogic session should preferably stay with the same Weblogic
  server.
  The catch is that we are not using Weblogic clustering - we have our own application-specific
  light-weight clustering (virtually no replication of dynamic state). All I want
  is that the Apache plug-ins keep forwarding the packets to the same Weblogic server
  for a session (unless the server dies), and that thsi property hold even if multiple
  client requests (for the same session) are rotated across multiple Apache servers.
  The first is really important, the second just nice-to-have (I can setup load-balancer
  with sticky sessions if needed).
  The Apache plug-in documentation seems to suggest that we must use Weblogic clustering
  for us to be able to specify multiple Weblogic servers in the plug-in config file,
  but is that really required?
  Second, does the session cookie uniquely identify the Weblogic server or does
  the Apache plug-in keep the mapping between the cookie and the server? Also, does
  this answer depend on whether we use Weblogic clustering or not?
  The answer depends on the protocol between the Apache plug-in and the Weblogic
  server. Is it documented? Available under NDA?
  Your help will be really appreciated!!
  thanks
  -amit

  is that the Apache plug-ins keep forwarding the packets to the same Weblogic
  server
  for a session (unless the server dies), If the session id is found in the cookie, request or postdata (in that order),
  the plugin will preserve the sticky session.
  and that thsi property hold even
  if multiple
  client requests (for the same session) are rotated across multiple Apache
  servers.The rules apply to all apache instances as the single instance.
  BTW, the preferred server from the session has to be in the serverList(you defined
  in the httpd.conf). You are not using clusters in the backend hence the server
  list will not be updated
  dynamically. The plugin will not know the changes in the backend without modifying
  the httpd.conf and restarted.
  The first is really important, the second just nice-to-have (I can setup
  load-balancer
  with sticky sessions if needed).
  The Apache plug-in documentation seems to suggest that we must use Weblogic
  clustering
  for us to be able to specify multiple Weblogic servers in the plug-in
  config file,
  but is that really required?
  It's a recommended configuration, but not mandatory.
  Second, does the session cookie uniquely identify the Weblogic server
  or does
  the Apache plug-in keep the mapping between the cookie and the server?The server info is in the cookie for the same client although
  the plugin also maintains a list of servers.
  Also, does
  this answer depend on whether we use Weblogic clustering or not?
  No.
  The answer depends on the protocol between the Apache plug-in and the
  Weblogic
  server. Is it documented? Available under NDA?
  Your help will be really appreciated!!
  We only support http and https(60sp1 or later).

• WLS with the HttpClusterServlet or Apache with proxy plug-in?

  I'm newbie with WebLogic Server cluster.
  Please tell me which is better for load balancing for WLS cluster? WLS with the HttpClusterServlet or Apache HTTP Server Plug-In? And which is recommended for production environment?
  Many thanks.

  Apache with plug-in, as this is easier configurable.
  For the HttpClusterServlet all the configuration goes into web.xml which has to be packaged as a war file and deployed to WebLogic.
  When any change is needed you have to edit the web.xml file, package it again and redeploy it.
  An example of the Apache plug-in set-up can be found here: http://middlewaremagic.com/weblogic/?p=7795 (the load balancing section)
  Or if you want to use the Oracle Web-Tier (which includes a precompiled Apache HTTP server): http://middlewaremagic.com/weblogic/?p=7819 (the load balancer section)

• Configuring SquirrelMail to use SSL with SMTP

  I ran the conf.pl script to have SquirrelMail access my IMAP server via SSL, and everything works.
  I then tried to use SSL with SMTP as well but when I used SquirrelMail to send mail, I got an error saying "Can't open SMTP stream". What is the correct setting to tell conf.pl to use?
  I had secure SMTP enabled and chose CRAM-MD5 for the authentication method.
  I actually have my web server and smtp server on the same machine, so this is more of a hypothetical question. In the end I turned off secure SMTP and set authentication back to none.
  Ben

  I don't have access to logs right now, but to answer your other question, SSL works fine when sending from Mail.
  But with Mail, I supply the username and password; which user does SquirrelMail use to send?

• I am going to buy unlocked iphone 5.. i will be going to india nxt months and will stay there for a while... so my question is will i get warrenty in india.. and will there be any problem with using indian sims..?? thnx for the help..

  i am going to buy unlocked iphone 5.. i will be going to india nxt months and will stay there for a while... so my question is will i get warrenty in india.. and will there be any problem with using indian sims..?? thnx for the help..

  The warranty for the iPhone is not and has never been International.
  Warranty and support are ONLY valid in the country of origin.  The only exception is the EU where the entire EU is treated as one country.
  If the device will be used in India, buy it in India.
  An unlocked iPhone will work on any supported GSM carrier world wide.  The LTE portion of a US purchased, unlocked iPhone is unlikely to work outside North America as it does not support the appropriate bands used in other countries.

• How to configure Oracle 10g Advanced Security to use SSL concurrently with

  How to configure Oracle 10g Advanced Security to use SSL concurrently with database User names and passwords
  In Oracle Advanced Security Documentation it is mentioned that i can use SSL concurrently with DB user names and passwords. But when i configure the client certificate on the client my DB connection is getting authenticated using the certificate, which out passing user id or password.
  We want to connect to Oracle DB over SSL channel so that the data packets are not in clear text. Also we want the user to make a connection using user id and password.
  Basically we want SSL with out authentication.
  Need your expert advice

  Read the documentation (I have given following links assuming you are running a 32 bit architecture)
  Server installations:
  http://www.oracle.com/pls/db102/to_toc?pathname=install.102%2Fb14316%2Ftoc.htm&remark=portal+%28Books%29
  Client installations:
  http://www.oracle.com/pls/db102/to_toc?pathname=install.102%2Fb14312%2Ftoc.htm&remark=portal+%28Books%29
  You can find the required books (if not using 32 bit architecture) from
  http://www.oracle.com/pls/db102/portal.portal_db?selected=3

• Installed the ios 7.0.2 update to my iphone 4, now it is stuck on a screen with itunes icon and power plug.  is this corect? I am unable to use the phone now.  What should i do next? I plug in to itune in my computer and ask me to restore my phone?

  installed the ios 7.0.2 update to my iphone 4, now it is stuck on a screen with itunes icon and power plug. 
  I am unable to use the phone now.  What should i do next? I plug in to itune in my computer and ask me to restore my phone? I will loose all my date?

  I hooked up itune and restore.  after finished restores, it said my phone is in recovery mode and needs to be finish before using itune, my screen still show the itunes icon and power plug

• Cannot download a file with internet explorer 6 using SSL connection

  Hello,
  I am working on a application that uses SSL. But when the clicks a button to donwload a file using IE 6 or IE 7, internet explorer shows a error message saying that "The internet explorer cannot open this site". This error dont occur in Firefox, but i have to use Internet Explorer. And the error occurs only if i use https, with http it works fine.
  I search the net and i found that internet explorer has a bug, that when the server sends the http header "Pragma: no-cache" or "Cache-control: no-cache,max-age=0,must-revalidate", then the internet explorer doesnt cache the file, and i cannot open it. See here: http://support.microsoft.com/kb/316431/en-us
  My problem is that OC4J appears to send this headers automatically. I am using Oracle Enterprise Manager 10g Application Server Control 10.1.3.3.0. Here, is my code to send the file:
  HttpServletResponse response = (HttpServletResponse)
  FacesContext.getCurrentInstance().getExternalContext().getResponse();
  response.setContentType("application/x-download");
  response.setHeader("Content-Disposition", "attachement; filename=\"file.pfx\"");
  response.setContentLength((new Long(myFile.length())).intValue());
  OutputStream out=null;
  try {
  out = response.getOutputStream();
  fis = new FileInputStream(myFile);
  int n;
  while ((n = fis.available())> 0) {
  b = new byte[n];
  int result = fis.read(b);
  out.write(b, 0, b.length);
  if (result == -1) break;
  out.flush();
  out.close();
  } catch (Exception e){
  throw new DownloadException("Erro ao enviar arquivo para o stream de download.");
  finally{
  FacesContext.getCurrentInstance().responseComplete();
  You can see that i not send that headers in this code.
  Here, is the headers sent to IE when i use https.
  HTTP/1.x 200 OK
  Date: Wed, 07 May 2008 17:40:28 GMT
  Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server
  Pragma: no-cache
  Cache-Control: no-store
  Surrogate-Control: no-store
  Expires: Thu, 01 Jan 1970 12:00:00 GMT
  Content-Length: 5208
  Set-Cookie: JSESSIONID=ac1002292008f788e14d0d6e40c29f3185f2fc72e5b9.e3eTb3mTb3yKe34SbhqOaxyTe6fznA5Pp7ftnR9Jrl0; path=/actcers; secure
  content-disposition: attachement; filename="file.pfx"
  Keep-Alive: timeout=15, max=74
  Connection: Keep-Alive
  Content-Type: application/x-download
  I hope that someone can helpme.
  Tanks
  Message was edited by:
  user635088

  Hi!
  I don't have a solution fou you, just a few ideas =)
  You can check what headers response contains with
  response.containsHeader( "your_header_here");
  http://java.sun.com/j2ee/sdk_1.2.1/techdocs/api/javax/servlet/http/HttpServletResponse.html#containsHeader(java.lang.String)
  after that you could set/overwrite those headers that you don't like with, for example:
  response.setHeader("Cache-control", "no-cache,max-age=0,must-revalidate");
  Aparently Pragma and Cache-control headers should be used in pair, as noted here
  http://curl.haxx.se/mail/archive-2005-12/0003.html
  quote:"The author of Bad Behavior points out that RFC2616 requires that a
  Pragma: header to be accompanied by a Cache-Control: header. From what I
  see, it only says "SHOULD" (in section 14.32), but that is still a
  strong recommendation and something to be considered, IMHO."
  I'm a bit sceptical about you needing to cache the file, but if you feel strong about it, you could read this
  http://www.mnot.net/cache_docs/#META
  If you're working on SSL there is supposed to be some kind of validation, certificate or something like that. IE6 and 7 both have strong security measures in these regards. Maybe you should look something up in that direction.
  Hope I helped.